Google researchers have at last responded to a hacker who says he's uncovered more than 40 YouTube flaws that put users at risk. Christian Matthies says he's been trying to get the attention of Google bug squashers for the past several months, but was unsuccessful in getting a single reply to his emails warning of the …
Refreshingly honest security researcher
After all the recent news about security researchers who either want to auction off their work to the highest bidder or who want to cause harm to the companies in question, it's really refreshing to see a security researcher who retains the old values of guarded disclosure and gentle escalation, with Internet safety as his motivation rather than fame or money.
Sometimes the threat of full disclosure is the only way to get someone's attention. The fear of looking bad frequently works where more gentle prodding and requests fail. I'm just surprised they didn't sue him or have him arrested. Of course, had it been someone less reputable, they would never have known who it was, just that the vulns suddenly showed up on a full disclosure site. Or some zero day attacks hit (given their seeming lack of interest, these might have turned into 6 month old attacks).
I think the majority of security researchers act in this manner
Sure there are people out there that don't, but I think the majority do.
The issue of making money from flaws is a different one in my view. Most of those that do this, also release the information necessary to fix the flaw to the developer of the software affected. These are the good guys. They effectively sell a fix to legitimate business (not malware authors or the Russian Mafia), and at the same time either get those businesses to report the details of the flaw to Microsoft, Google, whomever - or they do so directly themselves.
Remember, most of the time if these guys don't find and report these flaws, the first Microsoft et al. know about it is when regular users get hit by malware.
Yes there are mercenaries out there, yes there are plenty of kiddies who use and disclose this info for mischief or cash in to the highest bidder.
But my experience has been that most security researchers are responsible people who act in the same way as this guy. And if they decide to make a few dollars to pay the bills, as long as it does no one any harm why not?
Google getting too big?
Is it me or is the hippy hugging Google losing its shine in pursuit of ever bigger market share?
Lax response to flaws...
Stomping over data protection....
Buying out everyone possible....
Google is getting more like MS every day....